Authentication and Authorization Through the Ages

00. Introduction

Often, when we discuss cybersecurity, we are laser-focused on the latest crisis sweeping the industry. We discuss specific ongoing attacks and their potential remedies. While it is important for those of us who live and breathe security daily to be aware of emerging threats, our reactive approach incentivizes fast solutions over innovative solutions.

To the uninitiated, it may also seem frustrating that we are repeatedly confronted by vulnerabilities that, seemingly, should have been solved by now. However, this is a fundamental misunderstanding of cybersecurity as being a technology problem. It's a human problem. And, no, we're not "blaming the user," we mean that it's a sociological and philosophical problem that is broader than the technology at hand.

The core challenge is one of trust: Whom to trust? With what information? For how long? When the object of that trust is not known to us personally, it is impossible to answer those questions with 100% certainty. We can never truly know the mind of another. We are forced to navigate the challenge of offering and rescinding trust with our best guesses in each situation. We get it right most of the time, but we get it wrong more often than we like to admit.

Modern cybersecurity, in this author's humble opinion, is thus better explained as the current evolution of a set of challenges that have plagued humanity since we first formed social groups. Examining a few of them reveals just how old those challenges truly are, and cements that they are not technological; they are human. Recognizing this fact reveals that cybersecurity is an ever-changing field not because its practitioners are incompetent or even because the adversaries are smarter. It is ever-changing because the scale of human interaction is growing. The distance and degree over which humans regularly interact has exploded in the last century and a half. This has been a wonderful development for many areas of life, but it also means that many of the ways we built and maintained trust in smaller communities haven't scaled reliably. As the world of human communication and reach grows, solutions to the problem of trust must continually evolve to meet its new scale and complexity. Let's take a trip back in time, gain an understanding of trust from the beginning, and use it to shape our understanding of where things need to go in the future.

01. Tracing Identity, Authentication, and Authorization Through History

Identity had humble beginnings. At first, only those in your family and tribe who recognized your face or your voice could identify you. You grew up with your tribe members. You knew them well, and trust (or mistrust!) came automatically. Few individuals ever travelled alone, and fewer still ventured far from the spot where they were born. As such, this system of identification and trust didn't have many serious issues. It was reliable, long-lasting, and rarely prone to error or infiltration.

Until roughly 12000 years ago¹, it was as simple as that. The identity "data breach" was simply impossible.

Then agriculture came, and with it, the ability for larger groups of humans to form permanent settlements. Over the ensuing 3 millennia, these settlements grew, and trade between them began. The clan gradually gave way to the civilization. Problems of scale reared their heads for the first time. People needed to identify themselves to others whom they had never met. As settlements grew, they gradually encountered other settlements. It was then that many of the concepts we still rely on today began to take shape:

1. The first challenge was merely how to identify yourself in a standardized way.

   1. At first, it took the form of stamps emblazoned with a name or familiar sigil. Sigils themselves date back to the neolithic period of the Stone Age, but in that period, they were generally symbolic representations of deities; not real people. The first recorded example of a signature is the circa 3000BC stamp of "Gar Ama," a Sumerian scribe who stamped his name on the back of a clay tablet.² It is the world's oldest known signature of any kind. The earliest known ink signature is that of the Egyptian scribe Amen'aa from 2130BC.³ While signatures allowed a writer to identify themselves, they didn't do much else; especially for a recipient who had never seen the signature before and therefore couldn't judge its authenticity.

   2. Much later, in the Middle Ages, came complex, delicate wax seals. These could be imprinted with a sigil too and used to seal the communication closed. Their contribution was that they could both prove the origin of the communication as well as detect what we would now call "man-in-the-middle" attacks such as interception and message tampering. These are modern terms for those issues, but they were all problems faced by humanity long before the first spark of controlled electricity crossed a gap. However, seals could be forged more easily than ink signatures, so they began to be used in combination.

   3. In 1677, the British Parliament passed the Statute of Frauds Act which made written signatures mandatory on all legal contracts and superseded the use of seals alone for this purpose.² In modern terms, one might consider this pairing of seals and signatures something quite familiar: multi-factor authentication. There was a factor the user had to produce from memory and another (the seal) that they had to possess. For a time, people were now reliably authenticated.

2. However, neither of these methods could prove the validity of any claims that someone was making about themselves in the text of such a message or contract. People needed some trustworthy, 3^rd party reference to convince them to establish trust in you and your claims about who you were and what you were capable of doing. Even in today's digital space, we still call these assertions "claims," and when we perform single sign-on we place our trust in a 3^rd party to vouch for the authenticity of users' claims.

   1. In the beginning, this took the form of physical introductions brokered by someone known to both parties. Later, this took the form of letters of introduction, written by the trusted third party and carried by the person looking to authenticate themselves. It is hard to know precisely how far back this practice began, especially in informal settings.

   2. However, in the 16^th century, jurist Pierre Ayrault and others formalized the process for use in international diplomacy. These letters, known as Letters of Credence (belief), are still used (albeit as somewhat of a tradition) in the world of diplomacy. They identify an ambassador and ask that the receiving head of state accept their claim to be the authorized diplomatic representative in the foreign country. Letters Patent also used complicated wax seals in which part of the letter's physical material was embedded to prove authenticity and detect fraud.

   3. Letters of introduction continued as a common practice in much of society through the 19^th century, and even into the 20^th. It peaked in the 19^th century due to the explosion in travel and migration that steamships and railroads permitted ⁴. Even today, letters of recommendation are a key part of many application processes. But, as trade grew around the planet, this really couldn't handle the wide range of people and interactions that needed to take place. A new problem of scale had arisen that needed solving.

3. In times of war, time was of the essence. One simply could not write a letter for every single soldier moving around the battlefield. So, often, codewords or code phrases were developed to allow allies, and especially spies, to identify one another. It eliminated the need to carry specific items that could be lost or damaged, and it also allowed for plausible deniability since the secret information was locked away in the spy's head. This helped to protect the messenger in addition to proving their identity. So, the password came into being. The first known use was by Roman legions who used "an elaborate system of watchwords" that enabled the guards standing watch at Roman garrisons to identify unknown arrivals as friendly.⁵ Often, these were rotated on a nightly basis. Quite the password policy, especially when forgetting the password could have deadly consequences.

4. Another necessity of war was to protect not just the messenger but also the contents of the message itself. As early as 1379, pre-shared codebooks began to be used to encipher and decipher messages between parties to protect their confidentiality as they exchanged sensitive, strategic information.⁶ Third parties lacking the codebooks were completely unable to interpret messages that they intercepted. The encryption we rely on today was born on paper.

5. In more modern times, as governments and societies became more stable, large groups of people could look to state institutions to take on the role of the trusted 3^rd party who could identify an individual reliably to any other individual. An early iteration of a passport was introduced into law by Henry V of England with the Safe Conducts Act of 1414.⁷ The first photographic ID would make an appearance in 1876.⁸ Thus, the ID card was born.

02. Identity in the Information Age

As we can see, the challenges of an ever-wider, more complex, more dangerous world forced evolutions in how we present ourselves to one another, but the core challenges have remained unchanged throughout the ages. This trend continues.

It's no surprise, therefore, that when the information age arrived, we encountered the same challenges in the digital realm that plagued us in the physical one: A system that was built on trust between known parties quickly scaled to a size where millions of strangers were interacting all over the globe. We needed to adapt the paradigms that had been used for millennia for use on The Information Superhighway.

We created passwords (like the watchwords of old), certificates of authenticity (like the letters of credence before them), and advanced encryption to replace physical codebooks and analogue machines.

The digital age has brought a speed and scale that would have been unimaginable to our forebears, and so as the evolution of technology progresses, we are encountering new challenges that will need to be addressed.

Often, in the world of business, we need to know things about users that aren't necessarily contained in their government-issued IDs: Employers may need to know educational information and be able to store information about the user's management hierarchy and access rights. Businesses also want to store information about customers that can be tied to their identities: order histories, financial info, etc. This is all valuable data that might be of interest to competitors and thieves.

Before the internet, companies protected such directories of physical data with physical security. After all, the data was still physical. Computerized data was largely stored and protected on physical punch cards. The concept of it being stolen by a thief sitting thousands of miles away was unthinkable, because it was impossible. Of course, this meant that legitimate users also needed to physically retrieve the data from where it was stored; or a nearby terminal connected by a cable to a mainframe. The desire to exchange data over the internet necessitated a change.

In the context of identity, this led to the creation of online identity directories to allow employers to store this information about their employees and customers so that they, and applications they administered, could authenticate and authorize their users from anywhere. It also allowed thieves to steal it from anywhere; sometimes with the password of a legitimate employee gained through deception. Our tribal ancestors fished with fine thread. These thieves phished with phones and emails. It is believed that the earliest attacks were perpetrated by hackers impersonating employees on America Online (AOL). These attackers would use their masquerade as employees to convince customers to share their private account information over the then-nascent Instant Messenger.⁹

Knowledge of a password no longer provided enough assurance of the identity of online users. We needed something that a remote attacker couldn't possibly have. Multi-factor authentication was, as it was in 1677, the answer. It comprised something the user knew and something the user physically possessed. The password protected against a lost physical item, and the physical item protected against a wrongly shared password. The combination of knowledge and possession provided a potent defense against attacks from across the globe, but it also severely impacted the ease with which legitimate users could identify themselves.

Problem solved, right? For a while, yes! Then, the attackers got clever: if they could convince a legitimate user to give up their password, why not their multi-factor authentication information? The real genius of the thieves was to think big. Why go after individual users at companies around the world, when they could go after the source of nearly all the multi-factor tokens in use at the time: RSA. The attack, which at the time was one of the most sophisticated and damaging ever perpetrated, saw the theft of all the cryptographic seeds that RSA used to protect its SecureID multi-factor authentication solution. It introduced the world to the power of state-sponsored hacking, supply chain attacks, and the true power of phishing. The entire attack, which nearly leveled a global company in the United States, began with an employee in Australia being tricked into opening an infected file they had been emailed.¹⁰ It would be far from the last example of any of these attacks.

The uncomfortable truth, it turns out, is that the weakness isn't the latest technology: the weakness is us. If you can hack the human, and the human can override the system, then you don't need to hack the system. Humans and their identities are the true security perimeter to everything we are trying to defend.

In the age of social media, users now favor convenience and cheapness over privacy—speed over security. They trade their most sensitive identity data for the sake of free access to services. Users trust social media companies to store and provide identity data to other parties. The problem is that those social media companies often sell that data to other 3^rd parties that users have never explicitly authorized.

This misplaced trust in certain 3^rd party service providers has led to fraud, theft of data, illegal sale of data, and even government human rights violations through the misuse of data to track citizens. If that wasn't bad enough, the fraud can be committed from the other side of the planet and without the user's knowledge.

This challenge is forcing us to once again re-think how we identify ourselves. We need to be able to maintain high confidence in the people with whom we interact, but we must make the process easy enough to use such that users actually want to interact with us in the first place.

Beyond the ongoing arms race between hackers and providers that we see play out in the news, this is the fundamental situation that is leading to new advances in digital identity.

03. Taking Steps Towards the Future of Identity

As we design these new solutions, we want to solve for three main areas:

1. Stop using Roman Watchwords: Passwords are only as strong as the person entrusted with them. We want to prove that you are you in some other way. Biometrics is one obvious potential solution.
2. Ensure Device-based Trust: We want to prove possession of a unique item, but copying and typing codes is painful. Asymmetric cryptographic keys, protected within special hardware and tied to your biometrics provides an even better approach that isn't vulnerable to an RSA-style attack.
3. Stop centralizing sensitive data: Directories aren't going away soon, but the practice of combining sensitive attributes about users with their actual credentials must stop. These have been stolen from large, centralized directories repeatedly. We need a better way to find out about you, without putting you at risk. Storing some of this data with you directly is much safer, and having it cryptographically notarized by a trusted third party allows us to establish and maintain trust.

Now that we have placed the current challenges of the identity space in their historical context, join us for our next post to explore these current challenges in a bit more depth, and learn what the future will hold.

04. Resources and Additional Reading